undefined | Better HN

0 pointspinkmuffinere1y ago0 comments

“Worthless” is quite a strong claim. There isn’t much work I’ve encountered that’s truly “worthless”, even though bad work can make me quite upset. Anyways, that’s why I would often caveat.

0 comments

brohee1y ago

Mandatory audits by accredited auditors in order to participate in a market, inevitably create a market for accredited auditors that don't uncover too much but ensure all checkboxes are ticked. Much of the security industry is actually selling CYA and not actual security. The same dynamic at play means buyiong a home/boat/car you should get your own inspector, not blindly trust the seller's.

stackskipton1y ago

I'll say they are worthless because most of time they are dragging time away from things that could improve security. For example, $LastJob we spent a ton of time on SOC2 compliance and despite having applications with known vulnerabilities, we got hacked and ended up all over the news. Maybe of instead of spending all the time getting SOC2 compliance finished, we could have worked at upgrading those apps.

Actually, I doubt they would have upgraded the apps and pocketed the profits instead but SOC2 is providing cover instead of real change.

james_marks1y ago

SOC2 covers a set of vectors (mostly social/separation of controls from what I’ve seen), and you were attacked on another vector.

Maybe the org prioritized poorly and sucks overall, but that doesn’t mean SOC2 or compliance generally is worthless.

stackskipton1y ago

>SOC2 covers a set of vectors (mostly social/separation of controls from what I’ve seen)

THAT WAS THE PROBLEM. My bad, I thought most hacks were due poor software management but I'm glad SOC2 truly addressed the real problem.

1 more reply

more_corn1y ago

In this particular case it was worthless. If you have known vulnerabilities and you deprioritize that work to waste time on soc2, and get hacked because of it… soc2 was worthless. Because the whole point is security assurance. When you get hacked you’ve proved the opposite of security assurance.

But also you gotta have the balls to stand up to the guy pushing soc2 and say. No. There are known vulnerabilities. We are patching those first then we are doing soc2. The way I frame it is “we know we have critical vulnerabilities, we don’t need to go hunting for more till we fix them. Once we fix them we go looking for other ways to improve security posture” And if the ceo still insists (big client requires it so we’re doing soc2 simultaneously) you say fine, then hire a security consultant so we can go twice as fast. And if he refuses you quit because fuck that place.

more_corn1y ago

That’s some bad prioritizing there Lou.

j / k navigate · click thread line to collapse

0 comments

brohee1y ago

stackskipton1y ago

Actually, I doubt they would have upgraded the apps and pocketed the profits instead but SOC2 is providing cover instead of real change.

james_marks1y ago

SOC2 covers a set of vectors (mostly social/separation of controls from what I’ve seen), and you were attacked on another vector.

Maybe the org prioritized poorly and sucks overall, but that doesn’t mean SOC2 or compliance generally is worthless.

stackskipton1y ago

>SOC2 covers a set of vectors (mostly social/separation of controls from what I’ve seen)

THAT WAS THE PROBLEM. My bad, I thought most hacks were due poor software management but I'm glad SOC2 truly addressed the real problem.

1 more reply

more_corn1y ago

That’s some bad prioritizing there Lou.

j / k navigate · click thread line to collapse